Summary
XWork ParameterInterceptors bypass allows OGNL statement execution
| Who should read this | All Struts 2 developers |
|---|---|
| Impact of vulnerability | Remote server context manipulation |
| Maximum security rating | Critical |
| Recommendation | Developers should immediately upgrade to Struts 2.0.12 or upgrade to XWork 2.0.6 |
| Affected Software | Struts 2.0.0 - Struts 2.0.11.2 |
| Original JIRA Ticket | XW-641, WW-2692 |
| Reporter | Meder Kydyraliev, Google Security Team |
Problem
OGNL provides, among other features, extensive expression evaluation capabilities (http://www.ognl.org/2.6.9/Documentation/html/LanguageGuide/expressionEvaluation.html). The vulnerability allows a malicious user to bypass the '#'-usage protection built into the ParametersInterceptor, thus being able to manipulate server side context objects.
So, for instance, to set #session.user to '0wn3d' the following parameter name can be used:
('\u0023' + 'session[\'user\']')(unused)=0wn3d
which will look as follows once URL encoded:
('\u0023'%20%2b%20'session[\'user\']')(unused)=0wn3d
Solution
As of XWork 2.0.5, being part of the Struts 2.0.11.2 release, the ParameterInterceptor was changed to provide a whitelist mechanism for acceptable, non malicious parameter names. Therefore, in the example above, the given parameter will be ignored. Nevertheless there are still cases where the whitelist mechanism does not prevent the context from being manipulated, thus XWork 2.0.5 and Struts 2.0.11.2 do not fix the issue satisfactorily.
As of XWork 2.0.6, being part of the Struts 2.0.12 release, the ParametersInterceptor applies stack changes to a copy of the original value stack, for which context parameters which might be subject to manipulations are cleared beforehand.
You can either obtain a copy of the released XWork 2.0.6 jar as a drop in replacement for the XWork 2.0.4 / 2.0.5 jar used in Struts 2.0.9 and above, or download a full release of Struts 2.0.12, which contains the corrected XWork library.